Dealing with Microsoft licensing is a pain—it’s arcaic, someone is always getting a raw deal, and there’s nothing anybody can do about it because Microsoft is a monopoly. It’s natural, then, to be worried about the possible fallout from BYOD and consumerization. But while consumerization does bring the potential for increased licensing costs, does this even matter in a world of SaaS and new mobile platforms?
The licensing issue
Since I’m not a licensing expert, I spent about three days tearing out my hair trying to figure out the answer to just two questions: what scenarios require extra VDA licenses for mobile devices, and how does licensing Office work when it's accessed from mobile devices? I finally gave up and sought out Nathan Coutinho, a previous BriForum speaker and data center virtualization evangelist, and it even took him a bit of poking around to find clear answers to these questions. (Disclaimer: Nathan doesn’t work for Microsoft, so he can’t read the minds of the people that wrote the licensing language. To go straight to the source for this information, check out Microsoft.com/licensing.)
I wanted to understand what could happen when employees used personally-owned mobile devices or laptops to access a virtual desktop, either from home or the office. It turns out that both ‘who’ owns the device and ‘where’ its used from actually plays an important role in licensing compliance.
Microsoft VDA (virtual desktop access) licenses have a provision for home use called Extended Roaming Rights (ERR). As long as the person accessing a virtual desktop has a device at work with VDA (remember that if the operating system on a user’s desktop is covered by Software Assurance under the terms of an Enterprise Agreement than it also includes the benefits of VDA), then they’re allowed to access it from any personally-owned device, anywhere, as long as it’s not at work. This privilege applies to the one—and only one—primary user of the VDA-licensed device. For the non-VDA external device, it doesn’t matter whether it’s a laptop, a tablet, a kiosk in a hotel, or any other device (whether personal or corporate owned), as long as the user is outside of their company’s or affilliate’s office, there’s no need for another VDA license. (Imagine someone saying “I felt like working from my own MacBook instead of the corporate thin client in my cubicle, so IT sent me to the Starbucks across the street.”)
When on premises, though, things get more expensive, because any device used to access a virtual desktop at work must have a VDA license, regardless of whether or not the user’s primary endpoint is licensed for VDA. In other words, ‘where’ you access your virtual desktop/application from does matter. Say an employee has a desktop with VDA (because it has SA), and they use it to access a virtual desktop. If that employee wants to use another device—perhaps a laptop or tablet so they can access their virtual desktop while in a conference room—then that device needs a VDA license. The key point to understand here is that at work, every endpoint device that’s used to access a virtual desktop in the data center needs to be covered by SA. If the extra device is a corporate laptop, and it has SA, then it already has a VDA license. But say for example that an employee, tired of being chained to their desk, brought in a MacBook from home. The company would now need to provide another VDA license. That MacBook was perfectly fine at Starbucks, but now it’s costing the company more money. The employee asks, “What about my iPad? No? How about my Kindle Fire? No? Really? That stinks!” At the end of the day, the company can either choose to shell out the money or to just say no; it’s certainly an equally frustrating situation for the both the employee and IT. Also, regarding this situation, Nathan emphasized that it is the company’s responsibility to audit this which is why having updated IT policies and continually educating end users is important to stay compliant with not just Microsoft software, but any software.
Luckily, with Remote Desktop Session Host, ‘per-user’ RDS CALs make everything much, much easier. These types of client access licenses work anywhere, from home or at work, from any device, as many devices as the user wants...anything! It really is just that easy. Great, right?
Now imaging the potential for problems in environments that mix RDS and VDI. What do you do, send an email to all your employees telling them that if they’re using RDS it’s okay to bring in their personal MacBook/tablet/whatever, but if they’re using VDI, it’s not? This is super confusing for the employees, because among other issues, it’s pretty likely that they can’t even tell the difference—after all, the RDS sessions could have Aero turned on so they look like Windows 7 desktops and not Windows Server, the VDI sessions might be built on a shared image so they feel like RDS, and the users probably click on the same icon to reach both types of desktops!
What about other applications, like Office?
Now let’s throw Office into the equation. All the above scenarios assumed that beyond the VDA license there wouldn’t be any problems with any other software, but unfortunately most of the time users will need more than just an empty desktop shell. I’m just going to talk about Office here because of its ubiquity and for the sake of my sanity.
Office must be licensed on every single end point on company premises that is used to access it. Remember that per-user RDS CAL that was so great? Well, if users need to access Office on those RDS desktops on premise, then every endpoint needs a license for it—a personal MacBook, tablets...everything. All the benefits are gone, and these are now essentially the same restrictions as with VDA because ‘client’ software like Windows 7 and Office are all licensed only by endpoint.
However, Office licenses that are covered with SA also have ERR, so if the user has a primary device at work that has Office/SA, then they can access Office from home or a coffee shop using their own personal device. This works exactly the same as the ERR SA benefit of VDA.
How does Microsoft keep track of this? The truth is that it’s nearly impossible, and a lot of this is based on the honor system. But since IT has to make an effort for compliance reasons, the end result could often be having to say ‘no’ to personal devices. We all know what the result of that is, and that’s the concept that we’ve been calling FUIT. The users will do whatever they need to do to get around IT and work the way they want to, causing more headaches for everyone involved. At the end of the day, the result is that more devices equals more costs, which frankly shouldn’t be a shocker.
The CoIT issue
These licensing issues are pretty screwy, but all of the above scenarios assume that the users want to be accessing desktops and desktop software. These problems have been around for a lot longer than the current consumerization trend. Now, however, there’s much more potential for users to bring extra devices in the office, or want access with more devices. It could be a nightmare—the next hot new device comes out, and a few people bring it in—suddenly there are more Office licenses or VDA licenses to buy.
Let’s back up. I said that these scenarios assume that employees are accessing desktops and desktop software from all these devices. But do you think for a second that anyone thought to themselves, “I’m going to buy this iPad so I can access a Windows desktop”? It’s a lot more likely that they’re going to go buy Evernote, Docs To Go or QuickOffice.
New devices may create the potential for more licensing costs, but if that’s what worries you about consumerization and BYOD, then you’re approaching it wrong! These costs will certainly be a factor to consider, but more importantly, you should be worrying about how to get all your users to install vetted apps from a corporate app store, deciding on a SaaS strategy, or worrying about providing secure document sharing so employees don’t use Dropbox. Of course, it’s likely that the person in charge of licensing compliance at a company is not the same person that’s worrying about consumerization strategy, and that will remain a tough problem to get solve.
There’s a lot that we didn’t cover here, like VDA for contractors, VDA for devices that are shared between multiple users, applications other than Office. It’s so hard to cover everything in one article that it’s best to just figure out your actual requirements and then head to Microsoft to find out what you need to cover all your bases.
Don’t like dealing with all this? Mobile devices, other platforms, and the evolution of Microsoft licensing itself (such as the fact that before Server 2003 there were no per-user TS CALs, and VDA used to cost extra for endpoints with SA, for example) will provide alternatives. For right now, though, when it comes down to BYOD and CoIT strategy, does anybody actually worry about the licensing costs more than other aspects?